Usage of enabled-by-default hardening-related compiler flags across Linux distributions

jvoisin/compiler-flags-distro

Last commit: Nov 7, 2024
Default compiler hardening flags used to build packages for Linux distributions

| Flag | Alpine | Debian | Fedora | Gentoo | Gentoo Hardened | Ubuntu | OpenSUSE | ArchLinux | OpenBSD | Chimera Linux | Android | Google Chrome |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| `-fhardened` | NA | no | no | no | no | no | ? | no | NA | ? | NA | ? |
| `-D_FORTIFY_SOURCE=2` | yes | 2011 | 2007 | yes | superseded | 2008 | 2005 | 2021 | ? | yes | 2017 | yes |
| `-D_FORTIFY_SOURCE=3` | no | no | 2023 | no | 2022 | 2024 | 2023 | 2024 | ? | 2024 | no | yes |
| `-D_GLIBCXX_ASSERTIONS` | 2023 | no | 2018 | no | 2022 | no | yes | 2021 | no | no | no | ? |
| `-D_LIBCPP_HARDENING_MODE_HARDENED`/`-flibc++-hardening` | no | no | no | no | ? | no | no | no | ? | ? | no | ? |
| `-D_LIBCPP_ENABLE_HARDENED_MODE` (deprecated) | not yet[^1] | no | no | no | 2023 | no | no | no | ? | ? | no | yes |
| `-D_LIBCXX_ENABLE_ASSERTIONS` (llvm16) | no | no | no | no | superseded | no | no | no | ? | yes | ? | yes |
| `-Wformat -Wformat-security`/`-Wformat=2` | 2023 | 2011 | 2013 | 2009 | 2009 | 2008 | yes | 2021 | ? | 2023 | 2010 | yes |
| `-Wl,-z,noexecstack` | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
| `-Wl,-z,relro`/`-Wl,-z,now` | yes | yes | 2015 | no | yes | 2008 | 2006 | 2017 | ? | yes | 2013 | yes |
| `-fPIE`/`-fPIC`/… | 2008 | 2011 | 2015 | yes | yes | 2016 | 2017 | 2017 | yes | yes | 2012 | yes |
| `-fcf-protection`/`-mcet`[^2] | no | 2023 | 2018 | no | 2021 | 2019 | yes | 2021 | 2023 | no | no | ? |
| `-fsanitize=bounds` | no | no | no | no | no | no | no | no | no | no | 2019, partial | no |
| `-fsanitize=cfi`[^2] | no | no | no | no | no | no | no | no | no | partial | 2018, partial | ? |
| `-fsanitize=safe-stack`[^2] | no | no | no | no | no | no | no | no | no | no | ? | ? |
| `-fsanitize=shadow-call-stack`[^2] | no | no | no | no | no | no | no | no | no | no | 2019, partial | ? |
| `-fsanitize=signed-integer-overflow`/`-ftrapv` | no | no | no | no | no | no | no | no | no | yes | 2018, partial | ? |
| `-fsanitize=undefined` | no | no | no | no | no | no | no | no | ? | no | ? | ? |
| `-fstack-clash-protection` | 2023 | yes | 2018 | no | 2018 | 2019 | 2018 | 2021 | ? | yes | ? | ? |
| `-fstack-protector-strong` | yes | yes | yes | yes | yes | 2014 | 2006 | 2014 | yes | yes | 2015 | ? |
| `-fstack-protector` | superseded | superseded | superseded | superseded | superseded | superseded | superseded | superseded | superseded | superseded | 2009 | ? |
| `-ftrivial-auto-var-init=zero` | no | no | no | no | no | no | no | no | ? | 2023 | 2020 | ? |
| `-mbranch-protection=standard`/`-mbranch-target-enforce` | no | 2023 | 2020 | no | no | 2023 | no | no | 2023 | no | ? | ? |
| `-msign-return-address=[all/non-leaf]` | no | superseded | superseded | no | no | superseded | no | no | superseded | superseded | ? | ? |
| `-mshstk` | no | no | no | no | no | no | no | no | no | no | ? | ? |

Note that:

  • some flags are incompatible with each other
  • some flags are more useful than others
  • some flags supersede others
  • some libcs are incompatible with some flags
  • "partial" means "enabled in a lot of places, but not everywhere, with substantial caveats"
  • while Google Chrome isn't a distribution, given the size of its source code, it's close enough™ to warrant inclusion in the table.

Please do not expect these flags to be enabled in a distro's compiler. This repo only tracks the compiler hardening flags used to build packages (e.g., rpms or debs). For example, in the deb world, settings from both gcc and dpkg are used to build package archives. In most cases Ubuntu sets security hardening flags in the compiler, but a few are only set in dpkg. On Debian and Ubuntu the most recent release's archive builds arm64 packages with -mbranch-protection=standard, but you need to set the flag manually when compiling your own code.
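Because the table only says what a distro's package builds use, the reliable way to know what a given binary got is to inspect it. The following is an added example, not code from this repository: a standard-library-only checker that reads the ELF64 headers and dynamic section to report whether the link-time flags from the table (`-fPIE`, `-Wl,-z,noexecstack`, `-Wl,-z,relro`, `-Wl,-z,now`) took effect. The function names and the in-memory sample image it builds are mine, constructed so the script runs without a compiler.

```python
import struct, sys

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_DYN = 1, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1

def hardening_report(data):
    """Report which link-time hardening features a little-endian ELF64 image has."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type, e_phoff = struct.unpack_from("<H14xQ", data, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK header at all means an executable stack on Linux, so start at False.
    rep = {"pie": e_type == ET_DYN, "noexecstack": False, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:          # -Wl,-z,noexecstack
            rep["noexecstack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:        # -Wl,-z,relro
            rep["relro"] = True
        elif p_type == PT_DYNAMIC:          # -Wl,-z,now shows up as a dynamic tag
            for j in range(p_filesz // 16):
                tag, val = struct.unpack_from("<qQ", data, p_off + j * 16)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    rep["bind_now"] = True
    return rep

def build_sample_elf(pie=True, execstack=False, relro=True, now=True):
    """Constructed sample: a header-only ELF64 image (no code) with the given properties."""
    phdrs = [(PT_GNU_STACK, 6 | (PF_X if execstack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if now else 0, DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)    # dynamic section follows the phdr table
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(hardening_report(blob))
```

Run it with a path to any binary on the system to see the real result; without arguments it checks the constructed sample.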

Sources and resources:

Footnotes

[^1]: -D_LIBCPP_ENABLE_HARDENED_MODE only works with llvm18, which isn't in Alpine yet. It replaces -D_LIBCPP_ASSERT and -D_LIBCPP_ENABLE_ASSERTIONS.

[^2]: Not supported by musl libc.
